Skip to content

Two-factor authentication

Two-factor authentication (2FA) adds a second check to your sign-in. After you enter your password, Sparqbox asks for a 6-digit code from your authenticator app. Even if someone else learns your password, they still can't sign in without the code.

You set up 2FA from your account security page.

  1. Click your avatar in the top right and open AccountSecurity.
  2. In the Two-factor authentication card, click Set up authenticator app.
  3. Open your authenticator app (Google Authenticator, Authy, 1Password, Bitwarden, or any TOTP-compatible app) and scan the QR code.
  4. Enter the 6-digit code the app shows to confirm the setup is working.
  5. On the next screen, copy and save your 10 recovery codes. This is the only time they are shown in full. Store them somewhere safe.
  6. Click Done.

After enrolment, every new sign-in session will prompt for a 6-digit code after the password step.

  1. Enter your email and password as usual.
  2. When prompted, open your authenticator app and enter the current 6-digit code.
  3. Click Verify.

The code refreshes every 30 seconds in your authenticator app. If the code is about to expire, wait for the next one.

On the verification step you'll see a Trust this device for 30 days checkbox. Tick it before clicking Verify and that browser won't ask for a code again for 30 days.

Trusted devices are tied to your browser profile. Clearing your cookies or switching browsers removes the trust, so you'll be prompted again.

To see which devices are trusted and revoke any of them, go to AccountSecurityTrusted devices. See Trusted devices below.

If you can't reach your authenticator app, click Lost your phone? Use a recovery code on the verification screen and enter one of your 10 single-use backup codes instead.

Using a recovery code signs you in and immediately disables your 2FA factor. You land back at standard sign-in (single factor). If your workspace requires 2FA for all members, you'll be taken directly to the 2FA setup screen to re-enrol. See Recovery codes below.

When you first set up 2FA, Sparqbox generates 10 backup recovery codes. Each code is single-use and in the format xxxx-xxxx-xxxx.

Recovery codes are your safety net when you can't access your authenticator app — for example, if you lose your phone or switch apps.

Recovery codes are shown once, at enrolment. After that, you can regenerate a new set from AccountSecurityRecovery codesGenerate new codes.

On the 2FA prompt at sign-in, click Lost your phone? Use a recovery code and type one of your saved codes. The code is consumed after use and cannot be reused.

After using a recovery code, your 2FA factor is cleared. Enrol a new authenticator app as soon as you're signed in to restore full account security.

The Trusted devices card on AccountSecurity lists every browser that has been granted a 30-day trust for your account.

Each entry shows:

  • The browser or device identifier.
  • The date the trust was granted.
  • A Revoke button.

Clicking Revoke invalidates that device's trust immediately. The next time that browser signs in, it will be asked for a 6-digit code again.

Devices expire automatically after 30 days whether you revoke them or not.

Step-up verification for sensitive actions

Section titled “Step-up verification for sensitive actions”

Some actions inside Sparqbox require you to confirm your identity mid-session, even if you're already signed in. This is called a step-up verification.

When a step-up is required, a prompt appears asking for your 6-digit code (or a recovery code). If your device is trusted, the step-up is bypassed automatically.

Step-up verification applies to workspace settings changes, billing actions, and similar mutating admin operations.

To remove the authenticator app from your account:

  1. Go to AccountSecurity.
  2. In the Two-factor authentication card, click Disable two-factor authentication.
  3. You may be prompted to verify your identity before the action completes.

Disabling 2FA also invalidates all your recovery codes and removes all trusted devices for your account.

Workspace security settings

Workspace settings covers the admin toggle to require 2FA for all members.

Audit log

Audit log shows where 2FA events appear in the workspace event history.